Techniques for Evolution-AwareRuntime Verification

Owolabi Legunsen, Yi Zhang, Milica Hadži-Tanović,

Grigore Roșu, Darko Marinov

ICST 2019

4/26/2019

CCF-1421503, CCF-1421575,CCF-1763788, CNS-1619275,CNS-1646305, CNS-1740916

Runtime Verification (RV)

• RV dynamically checks program executions against formal properties, whose violations can help find bugs• a.k.a. runtime monitoring, runtime checking, monitoring-oriented

programming, typestate checking, etc.

• RV has been around for decades, now has its own conference (RV)

•Many RV tools:

2

JavaMOP: a representative RV tool

Code + TestsJavaMOP

Violations

Properties

3

Example property: Collection_SynchronizedCollection (CSC)

4

…65: im = Collections.synchronizedList(…);66: for (IInvokedMethod iim : im) { … }…

SuiteHTMLReporter

TestOnClassListener

TestNG example: from RV of test executions to bugs

JavaMOP

CSC was violated on… SuiteHTMLReporter.java:66… asynchronized collec�on was accessed in thread−unsafe manner

Violations

…CSC

Manual inspection: multiple threads can access “im”

5

RV during Continuous Integration (CI)?

Developers

Version Control

Co

mm

it

Ch

ange

s

1

2

5

Fetch Changes

6 Release/Deploy

Builds per day:• Facebook: 60K*• Google: 17K• HERE: 100K• Microsoft: 30K• Single open-source

projects: up to 80

Releases per day• Etsy: 50

6

CI Server

?

Pass/Fail

* Android only; Facebook: https://bit.ly/2CAPvN9 ; Google: https://bit.ly/2SYY4rR ;HERE: https://oreil.ly/2T0EyeK ; Microsoft: https://bit.ly/2HgjUpw ; Etsy: https://bit.ly/2IiSOJP ;

• Observation: All prior RV techniques are evolution-unaware (Base RV)

• Base RV would re-incur entire overhead if re-run after each code change

Developers

Version Control

Co

mm

it

Ch

ange

s

1

2

5

6 Release/Deploy

7

CI Server

?

Pass/Fail

New Idea: Focus RV on code changes?

Code changes are typically very small relative to entire code base

Fetch Changes

0.97% of classes changed on average in our experiments

Contribution: Evolution-aware Runtime Verification

• Goal: leverage software evolution to scale RV better during testing

• Intended benefits:1. Reduce accumulated runtime overhead of RV across multiple program versions

2. Show developers only new violations after code changes

• Complementary to techniques that improve RV on single program versions• Faster RV algorithms for single program versions

• Running tests in parallel

• Improve properties to have fewer false alarms

8

How JavaMOP works

9

Code+

Tests

InstrumentationInstrumented Code + Tests

Execution

Monitors

Events

Violations

Properties

CSC

Collections.synchronizedList()Collection+.iterator()

We proposed three evolution-aware RV techniques

1. Regression Property Selection (RPS)• Re-monitors only properties that can be violated in parts of code affected by changes

2. Violation Message Suppression (VMS)• Shows only new violations after code changes

3. Regression Property Prioritization (RPP)• Splits RV into two phases:• critical phase: check properties more likely to find bugs on developer’s critical path • background phase: monitor other properties outside developer’s critical path

10The three techniques can be used together

Evolution-aware RV in JavaMOP

11

Code+

Tests

InstrumentationInstrumented Code + Tests

Execution

Monitors

Events

Violations

Properties

Code+

Tests

1. Regression Property Selection (RPS)

2. Violation Message Suppression (VMS)

3. Regression Property Prioritization (RPP)

Evolution-aware RV – Result Overview

• RPS and RPP significantly reduced accumulated runtime overhead of Base RV

• Average: from 9.4x to 1.8x

• Maximum: from 40.5x to 4.2x

• VMS showed 540x fewer violations than Base RV

• RPS did not miss any new violation after code changes

• In theory can miss, but empirically it did not

• See paper for details on VMS and RPP

12

Base RV during software evolution

13

A

TC TE

Code

Tests P2

P1

CSC

Properties

• Base RV re-monitors all properties after every code change• No knowledge of dependencies in the code, or between code and properties

Old Version: monitor CSC, P1, P2

New Version: re-monitor CSC, P1, P2

B

C

D

E

B

Δ = {B}

Regression Property Selection (RPS) Overview

Selected subset of properties are those that may generate new violations

14

RPSOld version of Code+Tests

All available properties

Subset of all available properties

New version of Code+Tests

Regression Property Selection (RPS) – step 1

15

A

TC

B D

E

TE

C

B

Re-monitors only properties that can be violated in parts of code affected by changes

Inheritance or Use

P2

P1

May Generate events for

CSCStep 1a: Build Class Dependency Graph (CDG) for new version

Step 1b: Map classes to properties for which the classes may generate events

Δ = {B}

Regression Property Selection (RPS) – step 2

16

A

TC

B D

E

TE

C

B

Re-monitors only properties that can be violated in parts of code affected by changes

Inheritance or Use

P2

P1

May Generate events for

CSCAffected classes: those that generate events that can lead to new violations after code changes

Step 2: Compute affected classes

Class X is affected if

1. X changed or is newly added

2. X transitively depends on a changed class, or

3. Class Y that satisfies (1) or (2) can transitively pass data to X

C

TC

D

A

Δ = {B}

Regression Property Selection (RPS) –Steps 3 & 4

17

A

TC

B D

E

TE

C

B

Re-monitors only properties that can be violated in parts of code affected by changes

Inheritance or Use

P2

P1

May Generate events for

CSC

C

TC

D

Step 3: Select affected properties – those for which affected classes may generate events

Step 4: Re-monitor affected properties: {CSC, P1}

• P2 is NOT re-monitored in the new version• Affected classes cannot generate P2 events• Saves time to monitor P2; does not show old P2 violations

A

Δ = {B}

Total RPS time must be less than Base RV time

18

Step 2: Compute affected classes

Step 3: Select affected properties

Step 4: Re-monitor only affected properties

Step 1a: Build Class Dependency Graph (CDG) for new version

Step 1b: Map classes to properties for which they may generate eventsAnalysis

Re-monitoring

Base RV (Re-monitor all properties)

Analysis Re-monitoringTime Savings

Total Time for RPS

Static and Fast

4.3% of RPS time

RPS Safety and Precision - Definitions

• Evolution-aware RV is safe if it finds all new violations that Base RV finds

• Evolution-aware RV is precise if it finds only new violations that Base RV finds

• RPS discussed so far is safe but not precise• Safe modulo CDG completeness, test-order dependencies, dynamic language features

19

Results of Safe RPS – ps1

20How can we improve these results?

• 20 versions each of 10 GitHub projects• Average project size: 50 KLOC• Average test running time without RV: 51 seconds

RPS variants that use fewer affected classesGoal: Reduce RV overhead by varying “what” set of affected classes is used to select properties

A

TC

B D

E

TE

C

B

Inheritance or Use

P2

P1

May Generate events for

CSC

C

TC

D

A What classes are used to select properties?

ps1

Changed classes (i.e., Δ)

Dependents of Δ

Dependees of Δ

Dependees of Δ’s Dependents

ps2

ps3

Δ = {B}

21

Using fewer affected classes can be (un)safe, e.g., ps2

A

TC

B D

E

TE

C

B

Inheritance or Use

P2

P1

May Generate events for

CSC

C

TC

D

Aclass D {

static void foo(boolean b) {if (b) { // P1 events}else { // No P1 events}

}}

class C {void getF() {

D.foo(B.b);}}

class B {- public static boolean b = false;

+ public static boolean b = true; }Δ = {B}

22

ps2 can be safe if C does not pass data to D

RPS variants that instrument fewer classesGoal: Reduce RV overhead by varying “where” selected properties are instrumented

A

TC

B D

E

TE

C

B

Inheritance or Use

P2

P1

May Generate events for

CSC

C

TC

D

A Where selected properties are instrumented (i ∈ {1,2,3})

psi

affected(Δ)

affected(Δ)c

third-party libraries

ps��

ps��

ps���

Δ = {B}

23

• have fewer violations• ~36% of RV overhead• excluding them can be safe

RPS Variants – Expected Efficiency/Safety Tradeoff

24

“more efficient than” “less safe than”

2 Strong RPS variants are safe under certain assumptions: ��� and ����

10 Weak RPS variants are unsafe; they trade safety for efficiency

RPS Results – Runtime Overhead

25Base RV RPS Variants

26

Base RV RPS Variants

RPS Results – Violations Reported

RPS Results – precision and safety

• VMS is precise – it shows only new violations• RPS is not precise – it shows two orders of magnitude more violations than VMS

• We manually confirmed whether all RPS variants find all violations from VMS

• Surprisingly, all weak RPS variants were safe in our experiments

27

Why weak RPS variants were safe in our experiments

• 75% of event traces observed by monitors involved only one class

• 32 of 33 new violations were due to changes whose effects are in ps3

• Additional scenarios captured by ps1 and ps2 did not lead to new violations

• We may have missed old violations when not tracking ps1 or ps2 scenarios

• 87% of old violations missed by excluding third-party libraries did not involve any event from the code

28

Regression Property Prioritization (RPP)

Combining RPS+RPP reduced RV overhead to 1.8x (from 9.4x) 29

All properties

M

N

M+1

N - 1

V1 V2 V3Criticalphase

Backgroundphase

…

…

Conclusion

• We proposed three evolution-aware RV techniques: RPS, VMS, RPP

• Our techniques reduced Base RV overhead from 9.4× to as low as 1.8×

• Taking evolution into account can significantly reduce Base RV overhead during software evolution

30

Owolabi Legunsen: legunse2@illinois.eduYi Zhang: yzhng173@illinois.eduMilica Hadži-Tanović: milicah2@illinois.edu

Grigore Roșu: grosu@illinois.eduDarko Marinov: marinov@illinois.edu